It's Chris again, and I'm Cybrary's instructor for its US Information Privacy course.
I hope that you're having a great day wherever you are. Looks like the weather has broken here for us in Maryland, so we should have a good stretch of good weather, and I'm thankful for that.
Lesson 3.4
We're going to continue our discussion on the Office of Management and Budget's guidance that it provides to executive branch agencies in the federal government as it applies to privacy.
OMB Memorandum 17-12 is useful not only to those agencies in the executive branch that must comply with it, but also to those of you who are privacy professionals in the private sector. You may find that OMB Memorandum 17-12 is a useful tool, because it helps organizations in preparing for and responding to breaches of personally identifiable information.
We have two learning objectives. We're going to talk about the guidance that this memorandum gives executive branch agencies on how to prepare for a breach of PII, and we're also going to talk about the response requirements stated in Memorandum 17-12 on how these agencies can respond to a breach of PII.
Now, it's extremely important for you in the private sector to continue to look beyond your own policies, procedures, guidelines and standards, and to look externally for best practices on how you can improve your organization's, institution's or company's incident response procedures and other procedures that pertain to privacy.
So let's talk about OMB Memorandum 17-12. It's a really wonderful tool. It provides you with great insights, templates and guidance on how to prepare for and respond to a breach of PII.
OMB memoranda that dealt with incident response as it applied to a breach of PII: OMB Memorandum 07-16, OMB Memorandum 06-19 and OMB Memorandum 16, or 06-15, my apologies.
You know, OMB, when it provided this guidance, understood that not only private sector organizations but public sector organizations also process PII and are engaged in lifecycle management: the collection, use, processing, storage, maintenance, dissemination, disclosure and disposal of PII. And it wanted to make sure that on that fateful day, should an organization experience a breach of PII, it was prepared to respond.
You know, we've talked about PII. We've talked about and defined it in previous modules. We talked about names, addresses, dates of birth, your places of employment. We talked about Social Security numbers and other government identifiers. Now we're talking about precise locational data, medical history, biometrics and others.
And we have a responsibility as organizations to ensure that we're protecting that information from the time it is collected until the time we dispose of it.
You know, on that fateful day you can't just wake up and address a privacy breach. At that time it's too late. You have to be prepared for it, and this memorandum will assist you in doing so.
You know, we've defined PII. We've talked about any information that distinguishes or traces an individual, or can be linked directly or indirectly to an individual, as defined in OMB Circular A-130, as we talked about previously.
Now, one thing that Memorandum 17-12 does is make a distinction between what's an incident and what's a breach.
When we're talking about incidents, security incidents, it defines an incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information or an information system, or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures or acceptable use policies.
Now, it defines a breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information, or (2) an authorized user accesses or potentially accesses personally identifiable information for other than an authorized purpose.
So it seeks to prepare organizations not only for external threats but also for internal threats.
It talks about ways that you can prepare for a breach, and it talks about training and awareness campaigns, which are extremely important. You can't hold individuals accountable if you haven't trained them and then assessed the level of that training.
It also accounts for addressing disclosures of Privacy Act routine use information, like we talked about during our discussion on the Privacy Act of 1974, so that when you have system of records notices, they have to address the routine uses, the disclosure or potential disclosure, of PII, and, in the case of breaches, which requires some type of notification that we're going to talk about.
It talks about requirements for contractors, because you could have a breach that occurs at a contractor site, and so they need to be prepared to respond to those.
It also talks about the need to identify logistical and technical support that you might need that's not already on your staff. So you may have to budget for that as you're accounting for potential breaches in the future.
You know, this memorandum has requirements on reporting suspected or confirmed breaches, and it says that these agencies have to report these breaches even if only suspected, because any delay in the notification could expose the organization or individuals to greater harm.
It talks about the importance of establishing a breach response plan; identifying a breach response team; making sure you have the applicable privacy compliance documentation on hand; ensuring that you have the information sharing procedures in place to assist you in responding to a breach; and reporting requirements: to US-CERT within 24 hours of a breach, to Congress within seven days of the discovery of the breach, and then a follow-up within 30 days.
It talks about the importance of assessing the risk of harm to individuals, mitigating the risk of harm, and then notifying individuals potentially harmed by the breach.
We've talked about the external reporting requirements again: to US-CERT, the Computer Emergency Response Team, within 24 hours of realizing that the breach has occurred, and notifying Congress within seven days, with a follow-up within an additional 30 days.
You know, when we talk about assessing harm to individuals, it's extremely important. And the things that you should consider are the nature and sensitivity of the PII potentially compromised by the breach, the likelihood of access and use of that PII, and the type of breach.
Question one asks: OMB Memorandum 17-12 provides federal agencies in the executive branch with what? The appropriate answers are B and D.
Question two asks: how does OMB Memorandum 17-12 define an incident? The appropriate answers are A and D.
Question three asks: OMB Memorandum 17-12 defines a breach as what? The appropriate answers are B and C.
Question four asks: federal agencies must notify the appropriate congressional committees in compliance with which reporting requirements? The answers are B and D.
Question five asks a question about the CEO who manages this process. The same shall consider which of the following factors when assessing the risk of harm to individuals potentially affected by the breach? The answers are A, C and D.
You know, having worked in the private sector for some time, I have supported agencies that were funding for breaches, because it's not if, it's when it affects you, and breaches occur not only in the private sector but in the public sector.
What's important is that we, as privacy professionals, are prepared to respond to and are prepared for dealing with breaches, so that we protect our organizations from any potential risk of harm associated with the breach.
We talked about Memorandum 17-12 assisting agencies in preparing for potential breaches and responding to those, its definitions of incident and breach, as well as harm.